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Qaims 

1. A gateway for connectliig an external portion of a network to an Internal 
secured portion of die network wherein the gateway is arranged to identify 

s automatically when a communication session exists between two mobile 
workstations both of which are connected in the external portion of the 
network. 

2. A gateway as claimed in claim 1, having means for monitoring the source 
10 and destination of received packets. 

3. A gateway as dahned in daim 1. having secure communication means by 
which information is transferable securely to the two mobile workstations 
separately. 

15 

4. A gateway as claimed in claim 3 wherein the secure communication 
means radudes a first Security Association with a first mobile workstation and 
a second Security Association with a second mobile workstation. 

20 5. A gateway as claimed in daim 3 or 4» wherein the gateway is arranged to 
send, using the secure communication means, an identifier of a second mobile 
workstation to a first mobile workstation for use as an address in a packet 
originating from the first mobile workstation and destuied for the second 
mobile workstation 

25 

6. A gateway as daimed in daim 5 wherein the identifier of the second 
mobile workstation is a Home Address. 

7. A gateway as daimed in any one of daims 3 to 6, wherein the gateway is 
30 arranged to send, using tibie secure communication means, an identifier of titie 

first mobile workstation to the second mobile workstation for use as an address 
in a packet originating from the second mobile workstation and destined for titie 
first mobile workstation. 
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8. A gateway as claimed in claim 7 wherein the Identifier of the first mobile 
worlcstation is a Home Address. 

9. A gateway as claimed in any one of claims 3 to 8, wherein the gateway Is 
5 arranged to send first security information to the first mobile workstation and 

second secmity information to the second mobile workstation using the secure 
communication means, wherein ihe first mobile workstation uses the first 
security information and the second mobile workstation uses the second 
security information to enable a second secure communication means by which 
10 further information Is transferable securely between the first mobile 
workstation and the second mobile workstation without passing through the 
gateway. 

10. A gateway as claimed tu daim 9, wherein the second secure 
15 commiuiication means comprises Security Associations. 

11. A gateway as claimed in any one of claims 1 to 10 wherein the gateway is 
further arranged to Identify automatically when a mobile workstation moves 
between the internal and the external portions of the network. 

20 

12- A network including an internal secured portion which connects, via a 
gateway to an external portion, the network comprising a plurality of 
workstations including mobile workstations; the gateway and secure 
communication means by which Information is transferable securely to a first 

25 mobile workstation in the external portion of the network via the gateway and 
by which information is transferable securely to a second mobile workstation in 
the external portion of the network via the gateway; and information transfer 
means located within the internal secured portion of title network or within the 
gateway and arranged to send, using the secure communication means, an 

30 identifier of the second mobile workstation to the first mobile workstation for 
use as an address in a packet originating from the first mobile workstation and 
destined for die second mobile workstation. 

13. A network as claimed in daim 12, wherein the information transfer 
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means is furtber arranged to send, using the secure communication means, an 
identifier of the first mobile workstation to the second mobile workstation for 
use as an address in a packet originating from the second mobile workstation 
and destined for the first mobile workstation. 

5 

14. A network as claimed In daini 12 or 13 wherein the identifier of a mobile 
workstation is a Home Address of the mobile workstation. 

15. A network as claimed in any one of claims 12 to 14 wherein the secure 
10 communication means provides an encrypted communications channel to the 

first mobile workstation and an encrypted communications channel to the 
second mobile workstation. 

16. A network as claimed in any one of claims 12 to 15 wherein the secure 
15 communication means comprises a first Secmity Association and a second 

Security Association. 

17. A network as claimed in any one of claims 12 to 16 wherein the gateway 
is arranged to detect a communications session between two mobile 

20 , workstations which are connected at the external portion of the network. 

18. A network as dauned in any one of claims 12 to 17 further comprising: 
means for dynamically updating an Identifier of the first mobUe 

workstation as it moves within the external portion of tbe network; 
25 means for communicating the updated identifier of the first mobile 

workstation to the second mobile workstation; and 

means for sending packets from the second mobile workstation to the 

first mobile workstation using the second secure communication means, 

wherein the packets are addressed using ibe updated identifier of the first 
30 mobile workstation. 

19. A network as claimed in daim 18 wherein the updated identifier is a 
Care-of-Address. 
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20. A network as claimed in any one of daims 12 to 19 wherein the network 
is arranged to use private addresses to communicate within tiiie internal portion 
of the network and fhe identifier of the second workstation is a public address. 

5 21. A method of securely routing communications between a first mobile 
node and a second mobile node of a network including an internal secured 
portion which connects, via a gateway to an external portion, comprising the 
steps of: 

maintaining a secure communication means by which information is 
10 transferable securely to a first mobile node in the external portion of the 
network via the gateway and by which information is transferable securely to a 
second mobile node in the external portion of the network via the gateways 

sending an identifier of the second mobile node to the first mobile node 
using the secure communication means; and 
15 addressing a packet sent from the first mobile node to the second mobile 

node using the identifier of the second mobile node and routing the packet, 
using the Identifier of the second mobile node, from the first mobile node to 
the second mobile node, not necessarily via the gateway. 

20 22. A method as dainied in claim 21 further comprising the steps of: 

sendtQg an identifier of the first mobile node to the second mobile node 
using the secure communication means; and 

addressiQg a packet sent from the second mobile node to the first mobile 
node using the identifier of the first mobile node and routing the packet from 
25 the second mobile node to the first mobile node, not necessarily via the 
gateway. 

23. A mobile workstation for connecting to an external portion of a network 
tiiat includes an internal secured portion connected, via a gateway to the 
30 external portion, comprising: 

means for using a secure conmumication means by which information is 
transferable securely from the internal portion of the network to the mobile 
workstation via the gateway; 

means arranged to receive, via the first secure communication means, an 
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identifier of anotitier mobile workstation also connected to the external portion 
of tiie network; and 

means for indudtng &e identifier of the other mobile workstation as an 
address in a packet for transmission to the other mobile workstation. 

5 

24. A virtual private network including an internal secured portion which 
coimects, via a gateway to an external portion, the network being arranged to 
communicate within the internal portion of tiie network using private addresses 
and comprising: 

10 a plurality of workstations including mobile workstations; 

the gateway; 

first secure communication means by which information is transferable 
securely to a first mobile workstation connected at the external portion of the 
network via the gateway and by which information is transferable securely to a 
15 second mobile workstation coimected at the external portion of the network via 
the gateway; and 

information transfer means arranged to send first security information 
to the first mobile workstation and second secmity information to the second 
mobile workstation usiog the first secure communication means, wherein the 
20 first mobile workstation uses the first security information and the second 
mobile workstation uses the second security toformation to enable a second 
secure communication means by which further information is transferable 
securely between tiie first mobile workstation and tiie second mobile 
workstation without passing through the gateway. 

25 

25. A virtual private network as dauned in daim 24, wherein the further 
information is transferable in packets using pubUc addresses. 

26. A network as daimed in dahn 24 or 25, wherein the first secure 
30 communication means provides an encrypted communications channd to the 

first mobile workstation and an encrypted communications channd to tiie 
second mobile workstation. 

27. A network as daimed in daim 24, 25 or 26 wherein the first secure 
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commimlcatioii means comprises a first Security Assodatioii and a second 
Security Association. 

28. A network as claimed In any one of daim 27, wherein the first Security 
S Association is from the gateway to the first mobile workstation and the second 

Security Association is firom the gateway to the second mobile workstation. 

29. A network as claimed In daim 28 wherein tihte first Security Assodation 
is from the internal portion of the network to the first mobile workstation and 

10 the second Security Assodation is from the internal portion of the network to 
the second mobile workstation. 

30. A network as claimed in daim 27, 28 or 29, wherein commimlcations 
using the first and second Security Associations use addresses which are 

15 private. 

31. A network as claimed in any one of daims 24 to 30, wherein the second 
secure communication means provides encrypted communications channels 
between the first and second mobile workstations. 

20 

32. A network as daimed in daim 31 wherein the first and second security 
information define the encryption/decryption of the encrypted communications 
channels. 

25 33. A network as daimed in any one of dalms 24 to 32 wherein the second 
secure commimication means comprises at least a third Security Assodation 
from the first mobile workstation to tiie second mobile workstation. 

34. A network as daimed in claim 33 wherein first and second security 
30 information defbies at least the third Security Assodation. 

35. . A network as datmed in any one of daims 24 to 34, wherein at least a 
portion of the first security information and at least a portion of the second 
security information are created within the internal portion of the network. 
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36. A network as claimed in any one of claims 24 to 35, wherein the gateway 
Is arranged to detect a communications session between two mobile 
workstations which are connected at the external portion of the network. 

5 

37. A network as claimed in any one of claims 24 to 36, wherein the second 
secure commiuiication means is enabled by the adaptation of databases in the 
first and second mobile workstations. 

10 38. A network as claimed in any one of claims 24 to 37, further comprising: 
Information transfer means arranged to send, using the first secure 
communication means, an identifier of the second mobile workstation to the 
first mobile workstation for use as an address in a packet originating from the 
first mobile workstation and destined for the second mobile workstation. 

15 

39- A network as claimed in claim 38 wherein the identifier of the second 
mobile workstation is a Home Address. 

40. A network as claimed in claim 38 or 39, wherein the identifier of the 
20 second mobile workstation is a pubUc address. 

41. A network as claimed in any one of claims 24 to 40 further comprising: 
means for dynamically updating an identifier of the first mobile 

workstation as it moves within the external portion of the network; 
25 means for communicating the updated identifier of the first mobile 

workstation to the second mobile workstation; and 

means for sending packets from the second mobile workstation to the 

first mobile workstation using the second secure coromunication means, 

wherein the packets are addressed using the updated Identifier of the first 
30 mobile workstation. 

42. A network as claimed in claim 41 wherein the updated Identifier is a 
Care-of-Address. 
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43. A method of securmg commimicatloiis between a first mobile node and a 
second mobile node of a virtual private network including an internal secured 
portion which, connects, via a gateway to an external portion, comprising the 
steps of: 

5 communicating within the internal portion of llie network using private 

addresses; 

maintaining a first secure communication means by which Information 
is transferable securely to the first mobile node in the external portion of the 
network via the gateway and by which information is transferable securely to a 
10 second mobile node in the external portion of the network via the gateway; 

sending first secuGtlty information to the first mobile node using the first 
secure communication means; 

sending second security information to the second mobile node using the 
first secure communication means; 
15 creating a second secure communication means in the first mobile node, 

using the fo'st security information in the flrst mobile node and the second 
security information in the second mobile node; and 

using the second secwe commxmication means, and not the first secure 
communication means, for transferring further information between the first 
20 and^ second mobile nodes while they both remain in the external portion of the 
network. 

44. A mobile workstation for connecting to a virtual private network that 
includes an intemal secured portion connected, via a gateway to tiie external 

25 portion, and for communicating while in the intemal portion using packet 
addresses which are private to die network, the mobile worlcstation comprising: 
means for using a first secure communication means by which packets 
addressed to tihe private address of the mobile workstation are transferable 
securely from llie intemal portion of the network to the mobile workstation via 

30 die gateway^ 

means arranged to receive, via the first secure communication means, 
first security information for enabling a second secure commimication means; 
and 

means for using tibie enabled second secure communication means to 
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securely receive further packets, addressed to a public address of the mobile 
workstatloiif from another mobile workstation also in the external portion of 
the network* 

S 45. A mobile workstation as claimed in claim 44 furtlier comprising a 
database and means for modifying the database in response to the received first 
security information. 

46. A mobile workstation as claimed in claim 45 wherein the database 
10 includes a Security Association Database (SAD) which is modified to include a 

new Security Association- 

47. A mobile workstation as claimed in daim 46 wherein the database 
includes a Security Policy database which is modified so that packets for the 

15 other mobile workstation use the new Security Association. 

48- A virtual private network Including an intemal secured portion which 
connects, via a gateway to an external portion, the network being arranged to 
communicate within the internal portion of the network using private addresses 
20 and comprising: 

a plurality of workstations including mobUe workstations; 

ibe gateway; 

secure communication means by which information is transferable 
securely, without passing through the gateway, between a first mobile 
25 workstation connected to tbe external portion of the network and a second 
mobile workstation connected to the external portion of Hie networlq 

means for dynamically updating an identifier of tbe first mobile 
workstation as It moves within the extemal portion of the network; 

means for coromunicatiug the updated identifier of the first mobile 
30 workstation to the second mobile workstation; and 

means for sending packets from tihe second mobile workstation to the 
first mobile workstation using the secure communication means, wherein the 
packets are addressed using the updated identifier of the first mobile 
workstation and are routed wiHiout necessarily passing through tbe gateway. 
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49. A network as claimed in claim 48 wherein Hie updated identifier is a 
Care-of-Address. 

5 50. A network as claimed in claim 48 or 49 wherein the, secure 
communication means provides encrypted conmumlcatlons channels between 
the first and second mobile workstations. 

51. A network as claimed in any one of claims 48 to 50 wherein the secure 
10 communication means comprises a Security Association from the first mobile 

workstation to the second mobile workstation and a Security Association from 
the second mobile workstation to the first mobile workstation. 

52. A network as claimed in any one of claims 48 to 51 wherein the secure 
15 communication means is enabled by databases in the first and second mobile 

workstations. 

53. A method of optimising the routing of secure communications between a 
first mobile node and a second mobile node of a network including an internal 

20 secured portion which connects, via a gateway to an external portion,, 
comprising the steps of: 

communicating within the internal portion of the network using private 
addresses; 

creating a secure communication means by which information is 
25 transferable securely, without passing through the gateway, between a first 
mobUe node of the external portion of the network and a second mobile node of 
the external portion of the network; 

moving the first mobile node witiiin the external portion of the network; 
modifying an identifier of the first mobile node in response to its 
30 movement; 

communicating the modified identifier of the first mobile node to the 
second mobile node; and 

sending a packet from the second mobile node for reception by the first 
mobile node, without necessarily passing via the gateway, after addressing it 
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iising tibte updated identifier of the first mobile and securing it using the secure 
communication means. 

54. A mobile workstation for connecting to an external portion of a network 
5 that includes an internal secured portion connected, via a gateway to the 

external pordoni comprising: 

means for communicating using private addresses when in the internal 
portion of the network; 

means for enabling and using a secure communication means by which 
ID information is transferable securely from the mobile workstation, when in the 
external portion of the network, to another mobile workstation connected to the 
external portion of the network witiiout passing tlirou£^ tiie gateway; 

means for receiving an identtfler of the other mobile workstation; and 
means for sending packets, when in the external portion of the network, 
15 to the other mobile workstation using the secure communication means and 
the received identifier. 

55. A mobile workstation as dattned in claim 54 wherein the identifier Is a 
pubUc address. 

20 

56. A mobile workstation as claimed in claim 55 wherein the identifier is a 
Home Address or a Care-of-Address. 



